Security Issues Galore Await You in the Internet Of Things

“Everything will talk to everything, and it will be an enormous legal and security nightmare.”

The Internet of Things (IoT) — what happens when you connect everything to the Internet, from coffee mugs and washing machines to cell phones and cars and jet engines — makes us feel like the Jetsons/Matrix/Dick Tracy future we’ve always wanted is finally here.

There is no doubt you are already familiar with many IoT devices. By 2020, there will be 26 billion Things, and that estimate does not include smartphones, computers, and tablets. Those are just plain old Internet devices. There are already a number of smartwatches, ranging from the aggressively utilitarian to the downright fancy. You can also buy a refrigerator that will let you know if you are running low on beer, thanks to an internal camera and chat app.

Grab some connected home devices alongside the Wink app, and you can tell your smart deadbolt lock to tell your smart lights and smart A/C to turn on as you walk through the door.

Other IoT devices in the pipeline will have several practical applications for attorneys and professionals. Who doesn’t want a car that will drive itself while you update some case notes? Everything will talk to everything, and it will be an enormous legal and security nightmare.

Now, to be clear, we aren’t talking about an overwrought dystopian horror show where machines come alive like Maximum Overdrive …

… though that is definitely terrifying. Instead, we are talking about an Internet of Things that is, at least at this point, nearly completely unregulated.

At first glance, the possibility of things going wrong with Things seems trivial and even a bit comic. Your smart fridge goes mad and orders a metric ton of cheese. In real life, the ways your Things can go awry are much subtler and actually much worse. The Chairwoman of the Federal Trade Commission, Edith Ramirez, spoke at the Consumer Electronics Show in Vegas earlier this year and outlined some key concerns.

First, your newly connected world is going to collect data. Tons of data.

Ubiquitous data collection refers to the cumulative impact of multiple sensing and tracking technologies, which — working in symphony — could sketch a “deeply personal and startlingly complete picture of each of us”, said Ramirez, with the massive volume of collected data allowing analysis that generates additional sensitive inferences.

Connected devices are also increasing the sensitivity of the data collected, as sensors and devices find their way into the most intimate spaces in our lives: our homes, our cars, and even onto our bodies.

If your car is helpfully collecting data on where you go, how you get there, and how long you stay, you are creating a (quite literal) road map to your client’s location. That might be fine if you retained ultimate control of that data, but the entire point of IoT is that it only works if data is flowing constantly. Worse still, what if your hypothetical future client is an IoT aficionado? She is also going to be creating a road map of her travels — data that may very well be discoverable.

Next, all that data being scooped out of your car, your refrigerator, your thermostat, and your television is not your data. It is data that belongs to Apple, Samsung, LG, Ford, and Microsoft, just to name a few. And, Ramirez pointed out, companies have never been shy about selling your data.

So, rather than being used to enhance the experience of the particular product a consumer bought, the data a connected device harvests might be funneled off elsewhere — and be used by prospective employers to judge the merits of a job application, for instance, or insurance companies to ascertain the risk of accepting a new customer, and so on.

Besides creating massive amounts of data that you may not want and that private companies will keep, the Internet of Things also holds the potential for data security breaches that will eclipse the scale of the Target or Home Depot breaches.

Twenty-six billion Things all connected together in the next five years? That is twenty-six billion more connected objects that are hacking targets.

Your cool automated home office with the smart thermometer and smart lock? Those devices are running on your home network. Those devices are two more entry points into your wireless network and all of your data.

Regrettably, as much as the FTC seems aware of the potential problems, it does not seem all that interested in regulating the security of these devices. Writing at Re/code, FTC Commissioner Terrell McSweeny offered a very tepid suggestion about the security issues.

To mitigate security risks, the FTC recommends that IoT device manufacturers incorporate security into the design of connected products. Properly implemented, security by design requires manufacturers to consider security throughout the entirety of a product’s lifecycle.

This means, for example, incorporating security practices into the culture of a corporation, bringing security expertise into the design phase of a product, working with vendors who prioritize it, and establishing breach protocols that can be implemented when flaws are discovered or attacks occur. Specific security measures required may depend on a number of factors, including the sensitivity of the information collected by a device and the costs of remedying security vulnerabilities.

While it is nice to think companies will be mindful of security considerations, particularly concerning sensitive material, plenty of companies have shown no restraint collecting and storing mounds of often-unsecured data.

So industry self-regulation seems very much like wishful thinking. It is likely the security landscape of the Internet of Things will be carved out by trial and massive error as new devices become available. So, as appealing as that smart fridge or wireless furnace controller might be, you may wish to exercise some caution in the brave new world of Things, for your own sake and your future client’s.